Fancy Product Designer, a WordPress plugin installed on over 17,000 sites, has been discovered to contain a critical file upload vulnerability that’s being actively exploited in the wild to upload malware onto sites that have the plugin installed.
Fancy Product Designer is a tool that enables businesses to offer customizable products, allowing customers to design any kind of item ranging from T-shirts to phone cases by offering the ability to upload images and PDF files that can be added to the products.
Unfortunately, while the plugin had some checks in place to prevent malicious files from being uploaded, these checks were insufficient and could easily be bypassed, allowing attackers to upload executable PHP files to any site with the plugin installed,”
An attacker can achieve remote code execution on an affected website, allowing full site takeover,Wordfence has not shared the technical specifics of the vulnerability as it’s under active attack.
Wordfence said that the critical zero-day could be exploited in select configurations even if the plugin has been deactivated, urging users to completely uninstall Fancy Product Designer until a patched version becomes available.
Earlier this year, researchers revealed vulnerabilities in Elementor and WP Super Cache that, if successfully exploited, could allow an attacker to run arbitrary code and take over a website in certain scenarios.